CiviCRM cloud hosting
Website Express' Cloud CiviCRM Hosting service offers you all the benefits of a secure, fully managed, high performance, always available hosted CiviCRM solution without needing any infrastructure or a dedicated technical team.
A robust Service Level Agreement is underpinned by guaranteed response times and provided by highly experienced CiviCRM engineers.
- CiviCRM 4 and CiviCRM 5 compatible
- Apache Solr powered search engine
- Worldwide Content Delivery Network
- Web Application Firewall
- Web-based control panel
- Auto-scaling to demand and load spikes
- Zero configuration (optimal performance & security pre-configured)
- Open Source, since 2009, complete high performance CiviCRM server stack
- High performance with Redis cache, PHP-FPM, Nginx and CDN
- High security with server guard, WAF and IDS
- Fast page load times keep users engaged
- High performance hosting ranks well in search engines
- High security gives peace of mind
- Robust, proven CiviCRM functionality, tried and tested by governments worldwide
- CiviCRM 4 and CiviCRM 5 public sector experience
- UK based agency, CiviCRM team and hosting location
- Open source excellent value for money
- Future proof with millions of sites already using
- Fast implementation and deployment
- No management headaches
£525 to £1800 per unit per month
- Education pricing available
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
Website Express Ltd.
029 2000 4547
|Service constraints||If you'd like us to migrate or support an existing CiviCRM website or online application that has been built by another provider, we will first need to validate existing GDPR compliance, security, accessibility, usability and compatibility with a site audit.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Response times are agreed as part of an SLA.
Typical response times are:
Priority 1 - 1 hour
Priority 2 - 4 hours
Priority 3 - 8 hours
Priority 4 - 16 hours
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||WCAG 2.1 AAA|
|Phone support availability||24 hours, 7 days a week|
|Web chat support||Yes, at an extra cost|
|Web chat support availability||24 hours, 7 days a week|
|Web chat support accessibility standard||WCAG 2.1 AAA|
|Web chat accessibility testing||Our open source web chat technology meets WCAG 2.1 AAA accessibility guidelines and the code has been written so that the chat box is navigable by keyboard using screen reader software, which has undergone community testing by the Drupal project.|
|Onsite support||Yes, at extra cost|
Together with our fully managed hosting platform, we offer two support options. Your Website Express project manager will be your single point of contact for the duration of your support contract.
• Standard Support - Work is billed to the nearest 30 minutes and charged at our standard rates with no surcharges - £600 a day. Support will be provided during office hours, Monday to Friday, 9.00 to 5.30pm. For additional cover, see our 24/7/365 support offering below.
Support time is flexible and can be used for support or ad-hoc development requests.
• 24/7/365 Support - for clients who demand the highest level of service. This is 24 hours a day, seven days a week, 365 days a year and available as an addition to our Standard Support above. This level of support costs an additional £650 a month.
In the unlikely event of your website or application becoming totally unavailable, our support team will be notified and take immediate action 24/7 to identify and resolve the issue regardless of the support level.
|Support available to third parties||Yes|
Onboarding and offboarding
We provide onsite training, user documentation and telephone support for client onboarding.
For complex onboarding, we also offer a paid bespoke service where we will perform the onboarding for you.
|End-of-contract data extraction||We will provide full access to the CRM or application software code. We will also provide full access to the database and files on your server environment. We can also help with extracting this for you if required.|
This is all included as standard within the price of the contract. Additional support would be chargeable.
Using the service
|Web browser interface||Yes|
|Using the web interface||
Full site administration is provided, including the ability to:
- Create, clone, and migrate CiviCRM instances.
- Verify sites.
- Reset passwords.
- Run scheduled tasks.
- Create and restore backups on demand.
- Disable or delete a site.
- Run database updates.
These options may be limited by role.
|Web interface accessibility standard||WCAG 2.1 AAA|
|Web interface accessibility testing||Our open source web technology meets WCAG 2.1 AAA accessibility guidelines and the code has been written so that the chat box is navigable by keyboard using screen reader software, which has undergone community testing by the Drupal and CiviCRM projects.|
|What users can and can't do using the API||
CiviCRM has a stable comprehensive API (Application Programming Interface) that can be used to access and manage data in CiviCRM. The API is the recommended way for any CiviCRM extension, CMS module, or external program to interact with CiviCRM.
Utilizing the API is superior to accessing core functions directly (e.g. calling raw SQL, or calling functions within the BAO files) because the API offers a consistent interface to CiviCRM's features. It is designed to function predictably with every new release so as to preserve backwards compatibility of the API for several versions of CiviCRM.
Full details can be found at: https://docs.civicrm.org/dev/en/latest/api/
|API automation tools||
|API documentation formats||
|Command line interface||Yes|
|Command line interface compatibility||
|Using the command line interface||
CiviCRM supports the Drupal Drush command line interface and this allows access to all API functions on the command line.
Full details can be seen here:
|Independence of resources||
Each hosting unit can auto-scale up to 128 GB RAM and 24 CPU Real Threads. Fast SSD plus SAS 15K in RAID6 provide high speed and best reliability.
For large applications, any number of hosting units may be purchased to cover usual levels of demand, with automatic scaling of RAM and CPU for short load peaks beyond these limits.
|Infrastructure or application metrics||Yes|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||In-house destruction process|
Backup and recovery
|Backup and recovery||Yes|
|What’s backed up||
All facets of a hosted environment are backed up automatically either every 24 hours or hourly depending upon customer requirements.
Backups are stored locally on the hosting platform, in the same datacentre on different equipment for redundancy and also in another datacentre for disaster recovery purposes.
|Datacentre setup||Multiple datacentres with disaster recovery|
|Scheduling backups||Supplier controls the whole backup schedule|
|Data protection between buyer and supplier networks||
|Other protection between networks||
The system is fully secured using HTTPS / TLS 1.3.
Connections made using insecure HTTP will be automatically redirected to HTTPS connections, and no insecure HTTP connections will be possible.
All system-level access to the hosting platform is via secure SSH and SFTP protocols over a private VPN.
Any client access is only accepted via secure SSH, SFTP and FTPS connections.
A strict 90-day password expiration policy is enforced for all accounts.
The system is protected by a firewall, CDN and web application firewall.
Additional access restrictions may be configured at the CDN level.
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
99.98% for Standard Hosting
100% for High Availability Hosting
On a case by case basis, we offer service credits which are discussed as part of the contract process.
|Approach to resilience||
We monitor our Drupal and CiviCRM platforms via HTTPS by checking a never-cached URI to confirm that it responds with the expected content, so that the uptime report gives accurate information on Nginx server, PHP-FPM backend and database server availability.
We never pause this monitoring, even during scheduled maintenance, which means that our real average uptime is 99.99% to 100%.
Our managed hosting provider runs its own fully redundant diverse fibre connection BGP4 network (AS30827) on Juniper MX80 series carrier grade routers with direct connectivity to LINX and Tier-1 networks. Routers check all available networks and choose the quickest path. In the event of one Internet route failing, traffic is rerouted via alternative networks.
Our data centre provider has both ISO 27001:2013 Information Security and Business Continuity certification and ISO 22301 Business Continuity Management certification.
Local auto-healing is used to monitor and repair possible issues on the server, and this process runs every 5 seconds. If a web or database process becomes unresponsive, then it will be automatically restarted before an issue has time to develop. All issues are logged for further analysis and reporting if needed.
Incidents (high error rates, unusual resource usage, etc) and outages (service failure, web site unavailable, etc) are reported directly to responsible parties via e-mail and/or text messages, as well as being reported to our internal monitoring system where teams can coordinate to resolve issues.
An API and public or private dashboard is also available upon request.
Identity and authentication
|Access restrictions in management interfaces and support channels||
A current username and password together with optional 2FA are required for access to our hosting systems.
Administrative connections may only be made over secured SSH or TLS channels.
It is impossible to have permanent access to your data (databases) - only temporary connections may be made while a concurrent and authorized SSH connection is open from the same IP address.
Access to filesystems is restricted via temporarily authorized and tracked SSH keys.
A password strength and rotation policy is in place and enforced.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
|Devices users manage the service through||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||Between 1 month and 6 months|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Interxion / The British Standards Institute|
|ISO/IEC 27001 accreditation date||14/07/2017|
|What the ISO/IEC 27001 doesn’t cover||Website Express does not hold the certification directly, however, our data centre provider has a current INFORMATION SECURITY MANAGEMENT SYSTEM - ISO/IEC 27001:2013 certification that covers the security of the service.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Who accredited the PCI DSS certification||Sage Pay Europe|
|PCI DSS accreditation date||09/06/2018|
|What the PCI DSS doesn’t cover||
Website Express does not hold the certification directly, however, Sage Pay Europe, our preferred online payment partners, have current Payment Card Industry Data Security Standard (PCI DSS) certification.
• PCI DSS
• PCI DSS v3.2
• PCI DSS v3.2 Level 1 Service Provider
We also integrate with other online payment providers, based on client preferences which can provide this certification for e-commerce functionality.
In addition, we can integrate GOV.UK Pay which uses payment processes that are fully Payment Card Industry (PCI) compliant.
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||
As Website Express does not directly host systems, we do not have ISO 27001:2013 certification, however as part of our ISO 9001:2008 certified quality management system, we require this standard for all our managed hosting, data centre and cloud backup providers.
Managed hosting provider, Extraordinary Managed Services, has ISO 27001:2013 Information Security and Business Continuity certification.
Data centre provider, Interxion, has ISO 27001:2013 Information Security and Business Continuity certification and ISO 22301 Business Continuity Management certification.
Cloud-based backup provider, Amazon AWS, has certifications including ISO 9001, 27001, 27017 and 27018 as well as Cyber Essentials Plus and more national frameworks.
|Information security policies and processes||As part of our annual, audited ISO 9001:2015 quality system, we have defined roles and responsibilities for information security, with overall responsibility being held by a Website Express Ltd. Director.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
We follow a robust change management process which is audited annually under our ISO 9001 certification.
Changes are assessed for their impact and risk, and a process of continual identification, monitoring and review of the levels of IT services specified in the SLA ensures that quality is maintained.
All changes are implemented through a version-controlled configuration management system and progress through a series of automated and manual testing steps before being applied to the 'live' infrastructure.
This systematic and comprehensive approach ensures that changes to services are reviewed, tested, approved and communicated.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
We follow the NIST Common Misuse Scoring System (NISTIR 7864). Each potential vulnerability is scored using this system.
The hosting platform (operating system, software, and applications) receives automated security patching for all software directly from the OS maintainers, with security patches applied as soon as they are available and have been tested on pre-production environments.
Alerts and newsletters are available from the maintainers, and technical staff monitor a number of respected advisory services for news.
Our Content Delivery Network provides a Web Application Firewall which is constantly updated to defend against newly released exploits.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Active web server monitoring blocks any IP address that is a source of DoS-like activity (too many connections in a very short timeframe), first temporarily for one hour and then permanently after many temporary blocks.
Strict firewall monitoring automatically denies access temporarily for one hour if it detects too many failed login attempts for SSH, SFTP or FTPS, a port scan or other exploits.
The Web Application Firewall will similarly deny access to known exploits.
Staff are automatically notified during any potential compromise and will take immediate action at the infrastructure or application layer.
|Incident management type||Supplier-defined controls|
|Incident management approach||Policies exist within our SLAs that describe our response process for common events, with coordination and escalation available for non-standard incidents. Users report incidents through our service desk via ticket, web chat, email or telephone, and are kept updated with the progress and state of the incident throughout the event via the ticketing system. Full incident reports are provided in the event of serious incidents (for example, extended outages or security events).|
|Approach to secure software development best practice||Supplier-defined process|
Separation between users
|Virtualisation technology used to keep applications and users sharing the same infrastructure apart||Yes|
|Who implements virtualisation||Supplier|
|Virtualisation technologies used||Other|
|Other virtualisation technology used||Xen hypervisor|
|How shared infrastructure is kept separate||
Customer instances have no access to raw disk devices but instead are presented with virtualized disks. The disk virtualization layer automatically erases every block of storage before making it available for use, which protects one customer’s data from being unintentionally exposed to another. Encryption is supported.
A mandatory firewall is enabled in a default deny-all mode and ports must be explicitly opened to allow inbound traffic. Each client is hosted within an isolated Virtual Private Cloud, preventing network connections from any other systems. "Sniffing" of network traffic is prevented at the hypervisor and interface level.
|Description of energy efficient datacentres||
Interxion (NYSE: INXN) is a leading provider of carrier and cloud-neutral colocation data centre services in Europe, serving a wide range of customers through over 45 data centres in 11 European countries.
Interxion’s uniformly designed, energy efficient data centres offer customers extensive security and uptime for their mission-critical applications.
Our PUE measures, even where using mechanical cooling and in an always-on environment, are exceptional by any standards. We use free cooling and a custom cold-aisle containment solution to support higher power densities on low raised floors more efficiently, reducing the overall cooling overhead by as much as 30%. And both data centres on the London campus use 100% renewable energy.
For more information, please visit www.interxion.com
|Price||£525 to £1800 per unit per month|
|Discount for educational organisations||Yes|
|Free trial available||No|